feat(parsers): add IriusRisk threat model CSV parser (#14384)

skywalke34 · Maffooch · web-flow · commit 0f89b0bfad94 · 2026-03-10T22:01:55.000-06:00
* test: add IriusRisk parser sample scan files

Authored by T. Walker - DefectDojo

* feat: add IriusRisk parser stub for auto-discovery

Authored by T. Walker - DefectDojo

* test: add IriusRisk parser unit tests (failing, TDD)

Authored by T. Walker - DefectDojo

* feat: implement IriusRisk CSV threat parser

Authored by T. Walker - DefectDojo

* docs: add IriusRisk parser documentation

Authored by T. Walker - DefectDojo

* fix: address gap analysis findings for IriusRisk parser

- Update test CSVs from 12 to 14 columns (add MITRE reference, STRIDE-LM)
- Parse MITRE reference: CWE-NNN extracts to cwe field, other values to references
- Include STRIDE-LM in description when populated
- Add Critical to severity mapping
- Change static_finding to False per connector spec
- Update documentation to reflect all changes
- Add tests for CWE extraction, references, STRIDE-LM, and Critical severity

Authored by T. Walker - DefectDojo

* fix: remove computed unique_id_from_tool from IriusRisk parser

Per PR review feedback, parsers must not compute unique_id_from_tool.
Removed SHA-256 hash generation and related tests. Deduplication now
relies on DefectDojo's default hashcode algorithm. Updated docs
to reflect the change.

Authored by T. Walker - DefectDojo

* docs: remove parser line numbers from IriusRisk documentation

Per PR review feedback, removed line number references from field
mapping tables and prose sections to reduce maintenance burden
when parser code changes.

Authored by T. Walker - DefectDojo

* fix: increase title truncation threshold from 150 to 500 characters

Per PR review feedback, expanded title field to use more of the
available 511 characters. Added test data with 627-char threat
to verify truncation behavior. Updated docs accordingly.

Authored by T. Walker - DefectDojo

* feat: add hashcode deduplication config for IriusRisk parser

Register IriusRisk Threats Scan in HASHCODE_FIELDS_PER_SCANNER and
DEDUPLICATION_ALGORITHM_PER_PARSER so deduplication uses title and
component_name rather than the legacy algorithm. These stable fields
ensure reimports match existing findings even when risk levels or
countermeasure progress change between scans. Update docs to match.

Authored by T. Walker - DefectDojo

* chore: retrigger CI checks

Authored by T. Walker - DefectDojo

---------

Co-authored-by: Cody Maffucci &lt;46459665+Maffooch@users.noreply.github.com&gt;
diff --git a/docs/content/supported_tools/parsers/file/iriusrisk.md b/docs/content/supported_tools/parsers/file/iriusrisk.md
@@ -0,0 +1,142 @@
+---
+title: "IriusRisk Threats Scan"
+toc_hide: true
+---
+
+The [IriusRisk](https://www.iriusrisk.com/) parser for DefectDojo supports imports from CSV format. This document details the parsing of IriusRisk threat model CSV exports into DefectDojo field mappings, unmapped fields, and transformation notes for easier troubleshooting and analysis.
+
+## Supported File Types
+
+The IriusRisk parser accepts CSV file format. To generate this file from IriusRisk:
+
+1. Log into your IriusRisk console
+2. Navigate to the project containing your threat model
+3. Export the threats as CSV
+4. Save the file with a `.csv` extension
+5. Upload to DefectDojo using the "IriusRisk Threats Scan" scan type
+
+## Default Deduplication Hashcode Fields
+
+DefectDojo identifies duplicate Findings using these [hashcode fields](https://docs.defectdojo.com/en/working_with_findings/finding_deduplication/about_deduplication/):
+
+- title
+- component_name
+
+### Sample Scan Data
+
+Sample IriusRisk scans can be found in the [sample scan data folder](https://github.com/DefectDojo/django-DefectDojo/tree/master/unittests/scans/iriusrisk).
+
+## Link To Tool
+
+- [IriusRisk](https://www.iriusrisk.com/)
+- [IriusRisk Documentation](https://support.iriusrisk.com/)
+
+## CSV Format (Threat Model Export)
+
+### Total Fields in CSV
+
+- Total data fields: 14
+- Total data fields parsed: 14
+- Total data fields NOT parsed: 0
+
+### CSV Format Field Mapping Details
+
+<details>
+<summary>Click to expand Field Mapping Table</summary>
+
+| Source Field             | DefectDojo Field     | Notes                                                                 |
+| ------------------------ | -------------------- | --------------------------------------------------------------------- |
+| Threat                   | title                | Truncated to 500 characters with "..." suffix if longer               |
+| Current Risk             | severity             | Mapped from IriusRisk risk levels to DefectDojo severity levels       |
+| Component                | component_name       | The affected asset or component from the threat model                 |
+| Threat                   | description          | Full threat text included as first line of structured description     |
+| Component                | description          | Included in structured description block                              |
+| Use case                 | description          | Threat category included in structured description                    |
+| Source                   | description          | Origin of the threat included in structured description               |
+| Inherent Risk            | description          | Pre-control risk level included in structured description             |
+| Current Risk             | description          | Current risk level included in structured description                 |
+| Projected Risk           | description          | Post-mitigation risk level included in structured description         |
+| Countermeasure progress  | description          | Percentage complete included in structured description                |
+| Weakness tests           | description          | Test status included in structured description                        |
+| Countermeasure tests     | description          | Test status included in structured description                        |
+| Owner                    | description          | Conditionally appended to description only when present               |
+| STRIDE-LM               | description          | Conditionally appended to description only when present               |
+| Risk Response            | mitigation           | Mitigation status percentages from IriusRisk                          |
+| MITRE reference          | cwe                  | When value matches CWE-NNN pattern, integer is extracted to cwe field |
+| MITRE reference          | references           | When value does not match CWE pattern, stored as references           |
+
+</details>
+
+### Additional Finding Field Settings (CSV Format)
+
+<details>
+<summary>Click to expand Additional Settings Table</summary>
+
+| Finding Field    | Default Value                    | Notes                                                       |
+| ---------------- | -------------------------------- | ----------------------------------------------------------- |
+| static_finding   | False                            | Threat model data is neither static nor dynamic analysis    |
+| dynamic_finding  | False                            | Threat model data is neither static nor dynamic analysis    |
+| active           | True (False when "Very low")     | Set to False when Current Risk is "Very low" (fully mitigated) |
+
+</details>
+
+## Special Processing Notes
+
+### Status Conversion
+
+IriusRisk uses a five-level risk scale that is mapped to DefectDojo severity levels:
+
+- `Critical` → Critical
+- `High` → High
+- `Medium` → Medium
+- `Low` → Low
+- `Very low` → Info
+
+Any unrecognized risk value defaults to Info. The mapping uses the "Current Risk" column, which reflects the risk level accounting for existing controls and represents the most accurate current exposure.
+
+### Title Format
+
+Finding titles are derived from the "Threat" column. Threat descriptions longer than 500 characters are truncated to 497 characters with a "..." suffix appended. Shorter threat texts are used as-is without modification.
+
+### Description Construction
+
+The parser constructs a structured markdown description containing all relevant CSV fields:
+
+1. Full threat text (untruncated, regardless of title truncation)
+2. Component name
+3. Use case (threat category, e.g., "Elevation of Privilege", "Networking")
+4. Source (e.g., "Created by Rules Engine")
+5. Inherent Risk (pre-control risk level)
+6. Current Risk (risk with existing controls)
+7. Projected Risk (risk after planned mitigations)
+8. Countermeasure Progress (percentage complete)
+9. Weakness Tests (test status)
+10. Countermeasure Tests (test status)
+11. Owner (conditionally included only when the field contains a value)
+12. STRIDE-LM (conditionally included only when the field contains a value)
+
+Each field is formatted as a bold markdown label followed by the value, with fields separated by newlines.
+
+### MITRE Reference / CWE Extraction
+
+The parser reads the "MITRE reference" column and applies conditional mapping:
+
+- If the value matches the pattern `CWE-NNN` (e.g., "CWE-284"), the integer portion is extracted and set on the finding's `cwe` field.
+- If the value is present but does not match the CWE pattern (e.g., "T1059" for a MITRE ATT&CK technique), the full value is stored in the finding's `references` field.
+- If the column is empty, neither field is set.
+
+### Mitigation Construction
+
+The mitigation field is populated directly from the "Risk Response" column, which contains the IriusRisk mitigation status in the format: "Planned mitigation: X%. Mitigated: Y%. Unmitigated: Z%." This preserves the original IriusRisk mitigation tracking percentages.
+
+### Active/Inactive Logic
+
+Findings are set to active by default. When the "Current Risk" value is "Very low", the finding is set to inactive, as this indicates the threat has been fully mitigated through implemented countermeasures.
+
+### Deduplication
+
+Deduplication uses DefectDojo's hashcode algorithm with the title and component_name fields to identify duplicate findings. These stable fields ensure that reimports correctly match existing findings even when risk levels or countermeasure progress change between scans.
+
+### Duplicate Rows in Source Data
+
+IriusRisk CSV exports can contain multiple rows with the same Component and Threat but different Risk Response values. These represent distinct countermeasure paths for the same threat. Each row is imported as a separate finding, distinguished by its description content which incorporates all CSV fields.
diff --git a/dojo/settings/settings.dist.py b/dojo/settings/settings.dist.py
@@ -1488,6 +1488,7 @@ def saml2_attrib_map_format(din):
     "Snyk Issue API Scan": ["vuln_id_from_tool", "file_path"],
     "OpenReports": ["vulnerability_ids", "component_name", "component_version", "severity"],
     "n0s1 Scanner": ["description"],
+    "IriusRisk Threats Scan": ["title", "component_name"],
     "Orca Security Alerts": ["title", "component_name"],
 }
 
@@ -1753,6 +1754,7 @@ def saml2_attrib_map_format(din):
     "OpenVAS Parser v2": DEDUPE_ALGO_HASH_CODE,
     "Snyk Issue API Scan": DEDUPE_ALGO_HASH_CODE,
     "OpenReports": DEDUPE_ALGO_HASH_CODE,
+    "IriusRisk Threats Scan": DEDUPE_ALGO_HASH_CODE,
     "Orca Security Alerts": DEDUPE_ALGO_HASH_CODE,
 }
 
diff --git a/dojo/tools/iriusrisk/__init__.py b/dojo/tools/iriusrisk/__init__.py
@@ -0,0 +1 @@
+
diff --git a/dojo/tools/iriusrisk/parser.py b/dojo/tools/iriusrisk/parser.py
@@ -0,0 +1,99 @@
+import csv
+import io
+import re
+
+from dojo.models import Finding
+
+SEVERITY_MAPPING = {
+    "Very low": "Info",
+    "Low": "Low",
+    "Medium": "Medium",
+    "High": "High",
+    "Critical": "Critical",
+}
+
+
+class IriusriskParser:
+
+    def get_scan_types(self):
+        return ["IriusRisk Threats Scan"]
+
+    def get_label_for_scan_types(self, scan_type):
+        return scan_type
+
+    def get_description_for_scan_types(self, scan_type):
+        return "Import IriusRisk threat model CSV exports."
+
+    def get_findings(self, filename, test):
+        content = filename.read()
+        if isinstance(content, bytes):
+            content = content.decode("utf-8")
+        reader = csv.DictReader(io.StringIO(content), delimiter=",", quotechar='"')
+        findings = []
+        for row in reader:
+            component = (row.get("Component") or "").strip()
+            use_case = (row.get("Use case") or "").strip()
+            source = (row.get("Source") or "").strip()
+            threat = (row.get("Threat") or "").strip()
+            risk_response = (row.get("Risk Response") or "").strip()
+            inherent_risk = (row.get("Inherent Risk") or "").strip()
+            current_risk = (row.get("Current Risk") or "").strip()
+            countermeasure_progress = (row.get("Countermeasure progress") or "").strip()
+            weakness_tests = (row.get("Weakness tests") or "").strip()
+            countermeasure_tests = (row.get("Countermeasure tests") or "").strip()
+            projected_risk = (row.get("Projected Risk") or "").strip()
+            owner = (row.get("Owner") or "").strip()
+            mitre_reference = (row.get("MITRE reference") or "").strip()
+            stride_lm = (row.get("STRIDE-LM") or "").strip()
+
+            # Title: truncate to 500 chars with ellipsis if needed
+            title = threat[:497] + "..." if len(threat) > 500 else threat
+
+            severity = SEVERITY_MAPPING.get(current_risk, "Info")
+
+            # Build description with all available fields
+            description_parts = [
+                f"**Threat:** {threat}",
+                f"**Component:** {component}",
+                f"**Use Case:** {use_case}",
+                f"**Source:** {source}",
+                f"**Inherent Risk:** {inherent_risk}",
+                f"**Current Risk:** {current_risk}",
+                f"**Projected Risk:** {projected_risk}",
+                f"**Countermeasure Progress:** {countermeasure_progress}",
+                f"**Weakness Tests:** {weakness_tests}",
+                f"**Countermeasure Tests:** {countermeasure_tests}",
+            ]
+            if owner:
+                description_parts.append(f"**Owner:** {owner}")
+            if stride_lm:
+                description_parts.append(f"**STRIDE-LM:** {stride_lm}")
+            description = "\n".join(description_parts)
+
+            # Extract CWE from MITRE reference if present
+            cwe = None
+            references = ""
+            if mitre_reference:
+                cwe_match = re.match(r"CWE-(\d+)", mitre_reference)
+                if cwe_match:
+                    cwe = int(cwe_match.group(1))
+                else:
+                    references = mitre_reference
+
+            finding = Finding(
+                test=test,
+                title=title,
+                severity=severity,
+                description=description,
+                mitigation=risk_response,
+                component_name=component,
+                active=current_risk != "Very low",
+                static_finding=False,
+                dynamic_finding=False,
+            )
+            if cwe:
+                finding.cwe = cwe
+            if references:
+                finding.references = references
+            findings.append(finding)
+        return findings
diff --git a/unittests/scans/iriusrisk/many_vulns.csv b/unittests/scans/iriusrisk/many_vulns.csv
@@ -0,0 +1,8 @@
+"Component","Use case","Source","Threat","Risk Response","Inherent Risk","Current Risk","Countermeasure progress","Weakness tests","Countermeasure tests","Projected Risk","Owner","MITRE reference","STRIDE-LM"
+"Router","Elevation of Privilege","Created by Rules Engine","Accessing functionality not properly constrained by ACLs","Planned mitigation: 0%. Mitigated: 0%. Unmitigated: 100%.","High","High","0%","Not tested","Not tested","High",,"CWE-284","Elevation of Privilege"
+"API UX Authorization Management","Read or Post data","Created by Rules Engine","An adversary attempts to exploit an application by injecting additional, malicious content during its processing","Planned mitigation: 100%. Mitigated: 0%. Unmitigated: 0%.","Medium","Medium","0%","Not tested","Not tested","Very low",,"T1059",
+"API BS Connection Interface Reporting","Read or Post data","Created by Rules Engine","An attacker crafts malicious web links and distributes them hoping to induce users to click on the link","Planned mitigation: 34%. Mitigated: 66%. Unmitigated: 0%.","High","Low","66%","Not tested","Not tested","Very low",,,
+"app-srec-audit-events","Networking","Created by Rules Engine","Access to network traffic from other containers creates the potential for various types of attacks such as denial of service or spoofing attack","Planned mitigation: 0%. Mitigated: 100%. Unmitigated: 0%.","High","Very low","100%","Not tested","Not tested","Very low",,,
+"API BS Service Provider","General","Created by Rules Engine","An attacker injects, manipulates or forges malicious log entries in the log file, allowing her to mislead a log audit, cover traces of attack, or perform other malicious actions","Planned mitigation: 100%. Mitigated: 0%. Unmitigated: 0%.","Medium","Medium","0%","Not tested","Not tested","Very low","John Smith",,
+"Database Server","Data Storage","Created by Rules Engine","An attacker targets the database server to exfiltrate sensitive records","Planned mitigation: 0%. Mitigated: 0%. Unmitigated: 100%.","Critical","Critical","0%","Not tested","Not tested","Critical",,,
+"Web Application Frontend","Input Validation","Created by Rules Engine","An attacker exploits insufficient input validation across multiple entry points in the web application frontend to inject malicious payloads that bypass security controls and propagate through downstream services including the API gateway, message queue processors, database abstraction layer, and caching infrastructure, potentially leading to remote code execution, privilege escalation, data exfiltration, cross-site scripting, server-side request forgery, and other attack vectors that compromise the confidentiality, integrity, and availability of the entire application stack and its associated microservices architecture","Planned mitigation: 50%. Mitigated: 25%. Unmitigated: 25%.","High","High","25%","Not tested","Not tested","Medium",,"CWE-20","Information Disclosure"
diff --git a/unittests/scans/iriusrisk/no_vuln.csv b/unittests/scans/iriusrisk/no_vuln.csv
@@ -0,0 +1 @@
+"Component","Use case","Source","Threat","Risk Response","Inherent Risk","Current Risk","Countermeasure progress","Weakness tests","Countermeasure tests","Projected Risk","Owner","MITRE reference","STRIDE-LM"
diff --git a/unittests/scans/iriusrisk/one_vuln.csv b/unittests/scans/iriusrisk/one_vuln.csv
@@ -0,0 +1,2 @@
+"Component","Use case","Source","Threat","Risk Response","Inherent Risk","Current Risk","Countermeasure progress","Weakness tests","Countermeasure tests","Projected Risk","Owner","MITRE reference","STRIDE-LM"
+"Router","Elevation of Privilege","Created by Rules Engine","Accessing functionality not properly constrained by ACLs","Planned mitigation: 0%. Mitigated: 0%. Unmitigated: 100%.","High","High","0%","Not tested","Not tested","High",,,
diff --git a/unittests/tools/test_iriusrisk_parser.py b/unittests/tools/test_iriusrisk_parser.py

Original file line number	Diff line number	Diff line change
`@@ -1488,6 +1488,7 @@ def saml2_attrib_map_format(din):`
`1488`	`1488`	`"Snyk Issue API Scan": ["vuln_id_from_tool", "file_path"],`
`1489`	`1489`	`"OpenReports": ["vulnerability_ids", "component_name", "component_version", "severity"],`
`1490`	`1490`	`"n0s1 Scanner": ["description"],`
	`1491`	`+ "IriusRisk Threats Scan": ["title", "component_name"],`
`1491`	`1492`	`"Orca Security Alerts": ["title", "component_name"],`
`1492`	`1493`	`}`
`1493`	`1494`
`@@ -1753,6 +1754,7 @@ def saml2_attrib_map_format(din):`
`1753`	`1754`	`"OpenVAS Parser v2": DEDUPE_ALGO_HASH_CODE,`
`1754`	`1755`	`"Snyk Issue API Scan": DEDUPE_ALGO_HASH_CODE,`
`1755`	`1756`	`"OpenReports": DEDUPE_ALGO_HASH_CODE,`
	`1757`	`+ "IriusRisk Threats Scan": DEDUPE_ALGO_HASH_CODE,`
`1756`	`1758`	`"Orca Security Alerts": DEDUPE_ALGO_HASH_CODE,`
`1757`	`1759`	`}`
`1758`	`1760`
Original file line number	Diff line number	Diff line change
`@@ -0,0 +1 @@`
	`1`	`+"Component","Use case","Source","Threat","Risk Response","Inherent Risk","Current Risk","Countermeasure progress","Weakness tests","Countermeasure tests","Projected Risk","Owner","MITRE reference","STRIDE-LM"`
Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,2 @@`
	`1`	`+"Component","Use case","Source","Threat","Risk Response","Inherent Risk","Current Risk","Countermeasure progress","Weakness tests","Countermeasure tests","Projected Risk","Owner","MITRE reference","STRIDE-LM"`
	`2`	`+"Router","Elevation of Privilege","Created by Rules Engine","Accessing functionality not properly constrained by ACLs","Planned mitigation: 0%. Mitigated: 0%. Unmitigated: 100%.","High","High","0%","Not tested","Not tested","High",,,`